CVE-2013-3317
Description
Netgear WNR1000v3 firmware before 1.0.2.60 has an authentication bypass via URLs containing ".jpg", allowing attackers to retrieve and decrypt the admin password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The web server on Netgear WNR1000v3 routers running firmware versions before 1.0.2.60 contains an authentication bypass vulnerability. The server skips authentication checks for URLs that include the substring .jpg, enabling unauthenticated access to sensitive resources. Specifically, an attacker can retrieve the device configuration file by requesting http:///NETGEAR_fwpt.cfg?.jpg. The configuration file is encrypted using a weak DES-based scheme with a key derived from the string NtgrBak [1].
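A detection sketch for the pattern described above, added here as an example and not taken from the advisory or from Netgear: it flags logged requests whose URL contains ".jpg" although the requested path is not a .jpg file. The log format (a proxy or IDS in front of the management interface), the sample lines, the addresses and the verdict names are constructed assumptions.

```python
import re
from posixpath import splitext
from urllib.parse import urlsplit

# Assumed common-log-style line: src ... "METHOD target HTTP/x.y" status
REQ = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) '
                 r'HTTP/[\d.]+" (?P<status>\d{3})')

def classify(target):
    """Return 'ok', 'config-fetch' or 'jpg-marker' for a request target."""
    if ".jpg" not in target.lower():
        return "ok"                      # substring exemption never triggers
    ext = splitext(urlsplit(target).path)[1].lower()
    if ext == ".jpg":
        return "ok"                      # the path really names an image
    if ext == ".cfg":
        return "config-fetch"            # e.g. /NETGEAR_fwpt.cfg?.jpg
    return "jpg-marker"                  # ".jpg" present only as a marker

def scan(lines):
    """Return (src, target, verdict, served) for each suspicious request."""
    findings = []
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue
        verdict = classify(m["target"])
        if verdict != "ok":
            # served=True means the device answered 200 without a login
            findings.append((m["src"], m["target"], verdict,
                             m["status"] == "200"))
    return findings

# Constructed sample log lines (documentation address range).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /NETGEAR_fwpt.cfg?.jpg HTTP/1.1" 200 4096',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /images/logo.jpg HTTP/1.1" 200 812',
    '192.0.2.11 - - [01/Jan/2024:10:00:02 +0000] "GET /start.htm HTTP/1.1" 401 0',
    '192.0.2.11 - - [01/Jan/2024:10:00:03 +0000] "GET /start.htm?x=.jpg HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for src, target, verdict, served in scan(SAMPLE):
        print(f"{src} {verdict} served={served} {target}")
```

A "config-fetch" finding with served=True indicates the configuration file was returned to an unauthenticated client, so the admin password should be treated as exposed.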
Exploitation
An attacker with network access to the router can exploit this vulnerability by sending a crafted HTTP request to the vulnerable URL without any authentication. The retrieved configuration file is encrypted, but the encryption algorithm is trivial and can be reversed using a publicly available Python script that derives the DES key from NtgrBak. Once decrypted, the configuration file reveals the clear-text password for the admin user [1].
Impact
Successful exploitation allows an attacker to obtain the administrative password and gain full administrative access to the router. This compromises the confidentiality, integrity, and availability of the device and the network it manages, potentially enabling further attacks such as DNS hijacking, traffic interception, or lateral movement within the network.
Mitigation
The vulnerability is fixed in firmware version 1.0.2.60 and later. Users should upgrade to the latest firmware available from Netgear. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Netgear/WNR1000v3 (description)
Patches (0)
No patches discovered yet.
References (1)
[1] www.exploit-db.com/exploits/24916/ (mitre, exploit, x_refsource_EXPLOIT-DB)